Doug Knehr
Esq. (NJ, DC), JD, MBA, BS, CISSP, FIP, CIPM, CIPP/US
609-***-**** Contact@DougKnehr https://www.linkedin.com/in/doug-knehr/ Portfolio: https://dougknehr.wordpress.com/
Training Link: AI, Security, Privacy
PRIVACY, DATA PROTECTION, INFORMATION SECURITY, AI GOVERNANCE
Differentiators:
Privacy + Information Security + AI Governance
(IAPP: FIP, CIPM, CIPP/US) + CISSP + expertise in AI and ML/analytics gained at 10 multinational organizations
Cross-functional SME skill set: Senior Counsel, Privacy & Cybersecurity; AI Governance
CPO (Chief Privacy Officer)
DPO (Data Protection Officer)
AI Governance SME
Past programs matured: Yahoo, CSWG (Albertsons/Kroger spinoff), Infosys, DTCC, Santander, Avanade, Acoustic, Mondelez, Clorox and Lucira Health
Continuous learner: see the complete list of 300+ privacy, security and AI training exercises in the linked training document
Recent accomplishment: $26 billion merger as v-CPO / v-CISO (Governance) (Privacy & Security Governance SME)
In the last 3.5 months of 2024, while under FTC, court, seller and executive M&A team scrutiny for the largest merger in the USA in November 2024 ($26 billion), I designed and directed the operationalizing of 26 platforms for privacy, information security governance, data protection, incident response and a future ML/AI governance program for a 600-location acquisition, developing and implementing processes, technologies and budget and managing the activities of 2 global consulting organizations and 3 law firms.
Value: I’ve been hired to execute. During the past 10 years, my skills have not been limited by the technology at one company, nor limited by a drafting-only focus (to the detriment of executing and operationalizing programs), nor limited by the four corners of a contract engagement. I possess in-depth, cross-functional operational expertise gained from successfully executing massive privacy and information security transformations at 10 multinational organizations during both pre-crisis and crisis stages at the Chief Privacy Officer, Chief Information Security Officer, Data Protection Officer, and Senior Counsel Cybersecurity and Privacy levels.
EDUCATION
JD, Stetson (doctoral degree)
MBA, Rutgers Graduate School of Management
BS, Rutgers University, Cook College, NJ
CERTIFICATIONS & TRAINING
Privacy Trainings
OneTrust: Assessment Automation
OneTrust: Consent & Preference Management
OneTrust: Data Mapping
OneTrust: Data Discovery
OneTrust: Data Subject Requests
OneTrust: Incident Response
Nymity / TrustArc: significant training over 10 years
See numerous privacy trainings in the trainings section at the end of the resume
Privacy Certifications:
IAPP-Fellow of Information Privacy (FIP) 2017
IAPP-Certified Information Privacy Manager (CIPM) 2014
IAPP-Certified Information Privacy Professional (CIPP/US) 2014
Cybersecurity Certifications:
Certified Information Systems Security Professional (CISSP) 2015
Cybersecurity Trainings
Sumo Logic and Splunk training
Extensive GRC trainings
See hundreds of security trainings in the trainings section at the end of the resume
AI Artificial Intelligence and ML Machine Learning Certs & Trainings
See numerous AI trainings in the training link.
AWARDS
DPO Group Avanade 2019 Data Protection Officer Rockstar Award
CISO Group Avanade 2019 CISO Incident Response Superhero Award
FRAMEWORK EXPERTISE
Privacy framework expertise: EU (GDPR and other EU regulations), USA (CCPA, CPRA, VCDPA, UCPA), PCI, CAN-SPAM, TCPA, CASL, Privacy Shield, HIPAA
NIST SP 800-63 (Digital Identity Guidelines)
Technologies (privacy / GRC): Archer, MetricStream, ZenGRC, Unified Compliance Framework, OneTrust, Nymity / TrustArc, DPOrganizer, Integris, BigID
Security framework expertise: NIST 800-53, ISO 270**-*****, ISO 27701:2019, NY SHIELD Act, NYDFS Part 500, OWASP, DORA, NIS2, SOC 2 certification
NERC; breach and attack simulation (MITRE ATT&CK framework)
Identity Protocols/ Standards: OAuth2, OpenID Connect, SAML, SCIM, authentication systems, and modern IAM platforms.
Technologies (cybersecurity): Microsoft Cloud Access Security Broker (CASB), QRadar, RadarFirst, Alation, Microsoft O365 Security & Compliance Center, Azure Rights Management, Microsoft Purview and other Microsoft data protection technologies, Splunk, Sumo Logic
AI frameworks: NIST AI Risk Management Framework, EU AI Act, ISO/IEC 42001, SR 11-7 (model risk management), ASOP 56 (modeling), AI conformity assessments
AI governance tools (familiar with): Lumenova AI, Fiddler AI; AI contract / vendor agreement review
VIBE CODING PROJECTS
Vibe coded a GPC (Global Privacy Control) tester
SPECIALTY AI SECURITY, AI PRIVACY & AI GOVERNANCE TRAINING
Significant training in AI-related data protection, security and privacy protections (see the 300+ training exercises in the linked training document)
Training Link: AI, Security, Privacy
EXPERIENCE
Position: AI training (AI security, governance and privacy-focused)
Company: Freelance
Dates: November 2024 - Present
Location: Remote (NJ)
Key Achievements: Ready for forward deployment on AI governance scaling issues (privacy, cybersecurity and governance focus)
Operationalizing: EU AI Act, NIST AI Risk Management Framework, DORA, NJDPA, Texas TDPSA, India DPA, GENIUS Act
Position: v-CPO (Privacy) / v-CISO-G (Privacy, Data Protection, Incident Response and Information Security Governance Expert) (Consultant)(Contract)
Company: CSWG (multi-billion-dollar US merger/sale pre-launch efforts)
Dates: August 2024 to November 2024
Key Accomplishments: Saved the launch timeline of a $26 billion M&A spinoff by operationalizing 26 governance platforms in under 3.5 months for a greenfield privacy, information security and AI governance program
My ability to align technology initiatives with business objectives is at such a level of mastery within privacy, information security, data protection, and AI governance that during these 3.5 months, while under FTC, court, seller, and executive M&A team scrutiny, for the largest merger in the USA in Nov 2024 ($26 billion), I designed and operationalized the data protection, privacy, information security governance, and incident response program for a 600-location acquisition, developing people, processes, technologies, and budget, website functionality as well as full back-office processes, managing the activities of 2+ global consulting organizations and multiple law firms.
TOM: created the target operating model for data protection, security GRC and policy, incident response and privacy
Resources: created the resource plan and functional relationship plan
Platforms: developed and began implementation of 26+ platforms for information security governance, privacy and data protection, effecting change management and innovation
Selected and operationalized security GRC tooling and began control implementation for alignment with the WISP and CMMC leveling
Selected and operationalized a full privacy suite of technologies in OneTrust, TrustArc and other platforms:
ROPA (Records of Processing Activities)
Cookie preference
Consent and preference management
PIA, DPIA, LITs
Data protection technologies (Microsoft)(data sensitivity classification, data discovery, data labeling, data loss prevention)
Retention and data classification platforms
Strategized and drafted the following:
Written Information Security Program
Integrated Incident Response Program documentation and playbooks
Data classification tables
Data Privacy Program documentation
Created GRC control foundation and policy development for the following:
Cybersecurity Business Plan
Continuity of Operations Plan
Cybersecurity Risk Assessment Template
Cybersecurity SCRM Strategy & Implementation Plan
Cybersecurity Operating Procedures
Information Assurance Program
Risk Management and Insider Threat Program
Secure Baseline Configurations
Secure Engineering & Data Privacy
Vulnerability & Patch Management Program
KPI development and extensive project management to meet business objectives in a hyper-compressed time frame
Aligned WISP security practices documentation with HIPAA privacy practices documentation, the HIPAA Notice of Privacy Practices (NPP), a consumer-facing CCPA/CPRA-compliant privacy statement, HR candidate and applicant privacy statements, and just-in-time consent disclosures
Position: Senior Counsel, Privacy and Cybersecurity (Forensic-Stage Contract)
Company: Infosys Ltd
Dates: January 2024 to March 2024
Location: Remote (NJ)
Key Accomplishments: Managed the forensic stage of a multimillion-person cyber event for an offshore legal team on a 12-hour time difference, reducing client impact and millions in spend, and readying the organization for mitigation and potential cyber investigation/litigation
Advised during the initial 3-month crisis period, focused on post-breach crisis management, security and privacy efforts
Managed root cause analysis, data subject notifications (notices to data subjects, contractual notices to clients, state attorney general regulatory notices), CISO and enterprise communications, and the notification vendors
Advised on cyber litigation and privacy data breach driven SLA and contract claims and notification strategies
Contributed to knowledge needed for attorney general, regulator and securities exchange interactions
Managed forensics reporting artifacts and related disclosure strategies
Position: Principal SME, Data Privacy, Cyber Risk and Data Protection (Consultant)(Contract)
Company: Yahoo
Dates: January 2023 to December 2023
Location: Remote (NJ)
Key Accomplishments: Led 95+ engineering teams across the adtech DSP and SSP to establish a privacy, cyber risk and data protection controls GRC program, replacing the efforts of a previously failed multimillion-dollar Big Four contract and creating an enterprise-wide impact assessment and revised privacy and data protection control methodology across all DSP, SSP and AI/ML engineering teams at Yahoo
Led 95+ engineering teams to mature and establish a privacy, cyber risk and data protection controls GRC program via an enterprise-wide impact assessment and change management effort across Yahoo
Developed customized cyber risk reduction and data protection privacy engineering advisory across the Yahoo technical ecosystem, with particular emphasis on data science, ML and AI systems
Served as the continuous-improvement subject matter expert (SME), collaborating with Legal, Compliance, the CISO and AI/Analytics teams to mitigate privacy and data protection engineering control risk
Critical advisory on cookies and technical identifiers ahead of the cookie-free future
Position: Data Protection Officer (Interim)
Company: Lucira Health (medical device startup)
Dates: May 2022 to August 2022
Location: Remote (NJ)
Key Accomplishments: Implemented a global privacy and data protection program from the foundation, enabling the launch of product into the EU and strengthening privacy and data protection globally.
Managed the drafting of global Data Transfer Addendums, Standard Contractual Clauses, Privacy Statements and Cookie Notices.
Managed multi-country outside counsel and provided product counseling for the multi-country launch (HIPAA, GDPR, CCPA, PIPEDA, Australia, New Zealand, EU and local privacy laws).
Served as the sole data protection security expert, creating budgets, and operationalizing various initiatives, including:
DLP (Data Loss Prevention) implementation.
Acting as a Microsoft Data Protection Subject Matter Expert (SME) and utilizing data protection technologies.
Implementing MCAS (Microsoft Cloud App Security) privacy measures.
Conducting data discovery and managing SIEM detection for insider threat data protection.
Establishing GRC (Governance, Risk, and Compliance) foundational programs and a WISP (Written Information Security Program).
Addressing security obligations under Standard Contractual Clauses and distributor agreements.
Conducting HIPAA Security Risk Assessments and utilizing Microsoft and AWS security and compliance technologies.
Providing expert guidance to a 300-person company on NIST, ISO 27001, GDPR, CCPA, CPRA, PIPEDA, HIPAA, and local privacy and data protection laws.
Developing and operationalizing various privacy programs, and budget including:
Incident response program.
ROPA (Records of Processing Activities) program.
Cookie technology program.
Consent and preference management program.
Individual Rights Response program, including DSAR (Data Subject Access Request) lookup methodology.
Privacy and data protection research program.
PIA/DPIA (Privacy Impact Assessment/Data Protection Impact Assessment) assessment automation and mitigation efforts.
Data mapping and data flows.
Privacy program product launches.
Establishing both CPO (Chief Privacy Officer) and DPO (Data Protection Officer) offices.
Ensuring security representations in global data transfer addendums.
Drafting legal documents for lawful transfer mechanisms, including SCCs (Standard Contractual Clauses), DTAs (Data Transfer Agreements) and DPPs (Data Protection Provisions).
Implementing a retention program (technology and methods).
Serving as subject matter expert on TrustArc and OneTrust.
Generating an Alation data catalog.
Providing guidance to various business groups on privacy concerns.
Utilizing BigID for data discovery and policy generation.
Position: Data Protection & Privacy SME (Consultant)(Contract)
Company: The Clorox Company
Dates: April 2021 to March 2022
Location: Remote (NJ)
Key Accomplishments: Led the successful rebuilding of the privacy program and control-driven efforts in Target Process Online, saving millions of dollars in external professional consultancy spend and reducing enterprise-wide cyber and privacy risk
Privacy & Data Protection
Advised on the complete rebuilding of the privacy program in Target Process Online.
Served as the sole privacy SME, focusing on maturing the technical implementation and engineering underpinning of privacy and data protection within Target Process models.
Implemented privacy processes as an SME and effectively as the Chief Privacy Officer (CPO), including the Privacy Operating Model.
Drafted cyber risk policies, standards and controls that integrate privacy with information security and data protection controls for the CTO, GC and CISO teams
Position: Principal Cyber Risk & Privacy Subject Matter Expert (Consultant)(Contract)
Company: Mondelez International
Dates: July 2020 to February 2021
Location: Remote (NJ)
Key Accomplishments: Developed cyber risk governance maturity modeling (COSO) and risk quantification for the CISO and Board of Directors, and developed a new control and GRC methodology for the CISO’s global privacy program, enabling significant risk reduction
Privacy
Advised on maturing the privacy program at the domain and control level.
Matured an international privacy program for the CISO by developing innovative standards, controls, procedures and metrics that implemented a global privacy framework tied to data security frameworks, resulting in a comprehensive program tailored to the organization.
Created innovative Schrems II solutions by leveraging unique security and privacy framework GRC (Governance, Risk and Compliance) methodologies.
Advised on the launch of a consent and preference management platform and on maturing the Incident Response program.
Drafted policies, standards and controls for the privacy program.
Cyber Risk
Developed cyber risk governance maturity modeling (COSO) and risk quantification for the CISO and Board of Directors committees
Drafted policies, standards and controls for the security program.
Position: Chief Privacy Officer (Interim) (Consultant)(Contract)
Company: Acoustic (ad tech / MarTech)
Dates: December 2019 to January 2020
Location: New York City, NY
Key Achievements: Designed the control and privacy operations for a major email-driven ad tech organization as part of a private equity firm purchase
Designed a global privacy program for a private equity startup
Position: Senior Counsel, Information Security & Privacy
Company: Avanade Inc.
Dates: February 2018 to December 2019
Location: Remote (NJ)
Key Achievements: Successfully operationalized a privacy program, incident response, a forensics monitoring oversight committee and a GRC platform to fuel information security governance and align with privacy operations, handling numerous cyber and privacy events. This entailed significant operational efforts across 36,000 employees in 23 countries.
Awards: 2019 Data Protection Officer Rockstar Award; 2019 CISO Incident Response Superhero Award
Privacy: Directly advised the CISO, GC, DPO and all business units on privacy and data security frameworks (significant operational expertise)
Privacy Operations & Advisory
Expert development of a 24-country Governance, Risk and Compliance (GRC) privacy program; 1 of 3 SMEs (small-team greenfield launch expertise)
Directly advised DPO, GC and CISO on operational privacy initiatives
Expert in GDPR, CCPA, ISO 27701:2019, NIST 800-53, NYDFS and a variety of global privacy and data protection frameworks
Privacy and data protection expert across EU and Americas negotiating and drafting commercial contracts including terms and conditions governing consumer data
Worked daily with product and security engineering teams proactively managing privacy and data protection legal risk
Guided Data Protection and GDPR (General Data Protection Regulation) strategy implementation teams
SME in ZenGRC, OneTrust, Nymity and TrustArc; significant expertise across a variety of data protection technologies.
Applied privacy-by-design principles; conducted and documented privacy assessments, including data protection impact assessments (DPIAs), legitimate interest assessments (LIAs), international data transfer adequacy assessments, and inbound and outbound privacy and security due diligence.
Created a 24-country, jurisdictionally relevant trigger set against GDPR, CCPA, NIST and ISO to drive PIAs, DPIAs and DPbD, accounting for local country regulation and the latest jurisdictionally relevant regulatory guidance
Conducted due diligence reviews of regular flow-down assessments within the privacy and information security domains to hold processors and sub-processors in compliance with negotiated terms, and served as data privacy expert to ensure flow-downs are current against global regulatory requirements.
Baselined the present state of data protection capabilities by developing data protection protocols, and rationalized them against operating jurisdictions to speed the contracting process and reduce compliance risk.
Utilized security monitoring, data discovery and data classification tooling to meet privacy and cyber regulations
Prepared presentations of security tooling to works councils
Privacy Data Protection & Drafting
Drafted consents, privacy notices, data transfer agreements and other documents for lawful transmission of data.
Drafted Legitimate Interest Tests, PIAs (Privacy Impact Assessments) and DPIAs (Data Protection Impact Assessments), including multi-country implementing-law compliance
Drafted policies, standards and controls for the privacy program
Advised on BCRs (Binding Corporate Rules) and SCCs (Standard Contractual Clauses)
Modified legal agreements (DTAs, Model Clauses, contract addendums, notices, policies)
Drafted data protection protocols and MSA clauses with a focus on privacy and security
Created internal technologies to effect compliance with data protection regulation globally within the organization
Information Security, Cyber Risk & Incident Response
Advised the CISO and GC on security frameworks and risk assurance as an SME and counsel for 24 subsidiary entities
Approved crisis management escalation handling for the CISO
Guided the CISO, GC and DPO to integrate GDPR data protection, privacy and cyber security regulatory, operational and risk framework requirements into operations.
Planned cyber wargaming tabletop exercises
Resolved privacy and organizational cyber risk incidents internationally for incident response / breach response
Provided expert advice across all major departments on international data protection events (incidents) across 24 countries
Risk Assurance and GRC
Expert development of a 24-country GRC information security program; 1 of 3 SMEs (small-team greenfield launch expertise)
Expert in information security GRC and privacy GRC (ZenGRC, Archer, MetricStream, UCF)
Drafted policies, standards and controls for the security program
Leveraged ISO 27701:2019 and Microsoft expertise to design jurisdictionally relevant governance rules, including the use of Azure Rights Management and the O365 Security & Compliance Center
Designed privacy- and information-security-by-design control sets, including within cloud environments
Purple-team-style cross-functional expert between the CISO, DPO and GC (advised on penetration testing standards and red team / blue team efforts)
Resolved application security control issues and cloud OWASP findings, especially within incident response handling
Applied Compliance Center controls to effect international data protection governance across 23 countries
Built the WISP (Written Information Security Program) and data protection plans globally
Threat modeling guidance involving the MITRE ATT&CK framework
Provided guidance on insider threat detection and deterrents
Recommended technology and technology revisions based on operational, legal and contractual requirements to meet international cyber security and data privacy GRC needs
Implemented technologies as SME (data protection, consent, encryption, privacy tracking)
Position: Chief Information Security Officer (CISO) (Interim) and Director of Information Security Governance
Company: Santander Holdings USA & Santander Securities LLC
Dates: August 2017 to January 2018
Location: Holmdel, NJ
DUAL INTERIM ROLES
Key Achievements: Designed an information security governance, risk and compliance program for a new holding company and six subsidiary entities on behalf of the CTO and Board of Directors, embedding security and privacy GRC into the 1st line of defense for the six entities and centralizing the holding company governance framework while allowing for independent operations at the subsidiary level. This significantly reduced risk and eliminated millions in overlapping technologies
Designed an information security governance, risk and compliance program embedded into the 1st Line of Defense for six entities across the USA.
Presented information security governance findings to the Board of Directors at the holding company.
Operationalized data protection efforts within the 1st Line of Defense.
Embedded NYDFS (New York Department of Financial Services) regulations, Privacy by Design principles and data protection regulations such as GDPR (General Data Protection Regulation), GLBA (Gramm-Leach-Bliley Act), DPbD (Data Protection by Design), state data protection laws, breach notification requirements, data destruction regulations, and financial and health industry security and privacy regulations into the 1st Line of Defense.
Served as the Interim CISO for Santander Securities LLC.
Position: Senior Counsel, Privacy & Information Security (Contract)
Company: Avanade Inc.
Dates: May 2016 to August 2017
Location: Remote (NJ)
Key Achievements: Successfully operationalized a privacy program, separating a $3 billion subsidiary from its $8 billion parent organization (Accenture), establishing independent privacy and DPO functions, and directly advising the CISO, GC, DPO and all business units on privacy and data security frameworks. This entailed significant operational efforts. Implemented from green fields a GDPR and international data protection privacy program (23 countries).
Implemented and matured an incident response platform to integrate privacy and information security.
Implemented and matured a GRC platform
Implemented and matured a Written Information Security Program
Designed a privacy program based on GDPR capable of meeting international data privacy regulatory changes
Matured SDLC and security assurance efforts (emphasis on pen testing standards)
Led CISO audits across ISO 270**-*****, NIST 800-53 and various NIST control documents, SANS CSC, and HIPAA security and privacy controls
Served in both a privacy counsel and senior information security officer capacity for the CISO and GC departments across 23 countries
Advised on technology, privacy and information security aspects of contract matters including Master Services Agreements, Vendor Agreements, Professional Services Agreements, Work Orders / SOWs, Software Licensing Agreements and NDAs
Reviewed and reduced cyber risk internationally across the WISP (Written Information Security Program), including but not limited to SOC, breach management, pen testing procedure review, Disaster Recovery, NIST/ISO framework audit and cyber risk review of broad CISO activities
Designed a 23-country GDPR program
Advised on penetration testing standards
Assessed privacy and information security controls, including BCRs (Binding Corporate Rules), SCCs (Standard Contractual Clauses), security monitoring tools, legal requirements for security tools, privacy regulations and cyber regulations, and rationalized them against works council requirements, international and domestic laws, and operational requirements.
Implemented international privacy and cyber regulatory requirements for international incident and breach response
Recommended technologies to meet international cyber security and data privacy needs based on operational, legal and contractual requirements. Guided the CISO and GC suite to integrate GDPR privacy and cyber security regulatory and operational frameworks into operations.
Provided expert advice across all major departments regarding cyber regulatory risk
Position: Senior Counsel, Privacy & Information Security (Contract)
Company: DTCC
Dates: July 2015 to December 2015
Location: Jersey City, NJ
Key Achievements: Operationalized a new privacy and data protection program (Nymity / TrustArc based) for a systemically important financial market utility (SIFMU) for the United States, processing $4 quadrillion annually, across a new 18-country footprint
Consultant and counsel providing advice on information security, data privacy, and cyber risk across more than 18 foreign jurisdictions, including the European Economic Area (EEA) and the USA.
Generated technical cyber risk and information security metrics, Key Performance Indicator (KPI) reports, risk data, and enterprise-wide cyber risk reduction strategies.
Provided consultation and counsel on cyber IT controls and data privacy controls.
Supported the development of a data privacy strategy, data transformation roadmap, and long-term strategic priorities for cyber risk reduction through information security and data privacy data transfer initiatives.
Consulted on the revamp of a multi-organization, multi-country information protection and data privacy department, including areas such as vendor management, privacy policy, charter, and daily privacy counseling.
Advanced global cyber security governance by conducting security risk assessments, identifying threats, establishing global reporting systems and procedures for risk, creating training and awareness plans, and integrating risk reporting matrices.
Contributed to cyber investigations, forensics, risk trend analysis, vulnerability exercises, and addressing security operations center (SOC) issues that filtered into the General Counsel's office.
Addressed security awareness, encryption concerns, network security, vendor protection, data protection, and privacy matters.
Engaged in significant international cyber security and data privacy work for numerous business units, from framework development to risk assessment, and provided board-level recommendations.